More

More

Washington State Board of Accountancy Revises Rules on Cloud Services

by Mark Hugh, CPA | Feb 01, 2018
cloud-server-and-touch-screen-blog-horizontal-400x250

Recently, the Washington State Board of Accountancy revised its rules on client confidentiality to reflect the growing prevalence of CPAs and firms using cloud-based services that receive and store confidential client information. The new changes are effective February 24, 2018.

With the migration of business models to cloud services, the protection of client information has become more complex and technical. For example, for record storage there was a single physical location and a single secure point of access. With the migration to cloud services, it is difficult to determine if a cloud-based service provider has adequate cybersecurity safeguards.

With the revisions, the Board is modifying its former standard of requiring written consent for use of third-party service providers and conforming more closely to AICPA interpretations.

Before the Change

Before the change, there were three applicable AICPA standards, one on integrity and objectivity, one on confidentiality, and one on professional misconduct. And two applicable Board rules, one on confidentiality and one on professional standards.

  • On integrity and objectivity, AICPA ET Section 1.150.040 provides that in some cases, a CPA should disclose the use of a third-party service provider to the client but has an exception for administrative support services such as record storage, software application hosting, or authorized e-file tax transmittal services.
  • On confidentiality, AICPA ET Section 1.700.040 provides that when disclosing information to third-party service providers, a CPA must either determine that the third-party service provider has adequate safeguards, or alternatively obtain client consent.
  • On professional misconduct (acts discreditable), AICPA ET Section 1.400.005 provides that a CPA must use the conceptual framework of identifying threats, evaluating threats, applying safeguards if necessary, and documenting that safeguards were applied. Under this interpretation, it is considered professional misconduct if the CPA cannot demonstrate that safeguards were applied that eliminated or reduced significant threats to an acceptable level.
  • On confidentiality, Board rule WAC 4-30-050(3) required that a CPA could not disclose any confidential communication or information without the specific consent of the client.
  • On professional standards, Board rule WAC 4-30-048 requires that if any professional standards differ from the requirements in Board rules, Board rules prevail.

After the Revision

With the new revision, the Board is conforming to the AICPA interpretation on confidentiality and allow CPAs to either determine that the third-party service provider has adequate safeguards, or alternatively obtain client consent.

The Board recognized that there was confusion among CPAs over whether they were required to obtain client consent before using a cloud-based service provider. Much of the misunderstanding resulted from the administrative support services exception in the AICPA’s integrity and objectivity interpretation. Under this rule, a CPA is not required to disclose or obtain consent from the client to use of a third-party service provider for administrative support services. However, if the CPA uses a third-party support provider for administrative support services, under the AICPA’s confidentially interpretation, the CPA is still required to either determine that the third-party service provider has adequate safeguards for client information, or alternatively obtain client consent.

And, neither AICPA interpretation was consistent with the Board’s rule, which required client consent before releasing any client information to a third-party service provider. Because Board rules prevail, client consent was required.

blog-pullout-mark-hugh-cloud-services-sidebar-largeMy firm uses Microsoft Exchange for email hosting and Microsoft OneDrive for storage of records. Because client consent was required, my engagement letters contained the standard paragraph “as part of providing professional services to you, we use secure cloud-based storage services from Microsoft for hosting and storage of all data and communications. By agreeing to this engagement, you consent that our use of these services is acceptable to you.”

With this change, I do not plan on removing that language. Under the new standard in Board rule and existing AICPA rules, if a CPA decides to not obtain client consent, but determines the third-party service provider has adequate safeguards, it is still professional misconduct unless the CPA can demonstrate that safeguards were applied that reduced or eliminated the threat to the confidentiality of the client’s information to an acceptable level.

Before or after this change, I cannot demonstrate whether Microsoft has applied adequate safeguards, as I am not competent to evaluate their systems. Those are programming skills, not CPA skills. And, if I objected to any language in their standard software licenses regarding adequate controls, I doubt they would address my concerns.

Therefore, rather than determine whether a third-party service provider has adequate safeguards, I will continue to follow the simplest, lowest risk, readily documented, and most elegant solution, to continue to obtain client consent in my engagement letters.

 

The complete text of the new section WAC 4-30-050(4) reads:

(4) Disclosing information to third-party service providers: Licensees, CPA-Inactive certificate holders, or nonlicensee firm owners must do one of the following before disclosing confidential client information to third-party service providers:

(a) Enter into a contractual agreement with the third-party service provider to assist in providing the professional services to maintain the confidentiality of the information and provide a reasonable assurance that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others. The nature and extent of procedures necessary to obtain reasonable assurance depends on the facts and circumstances, including the extent of publicly available information on the third-party service provider's controls and procedures to safeguard confidential client information; or

(b) Obtain specific consent from the client before disclosing confidential client information to the third-party service provider.

Hugh_DSC5776_SmallMark Hugh, CPA, is the principal of Mark Hugh PLLC. He is a CPA member of the Washington State Board of Accountancy. You can contact him at mark@markhugh.com.

Please log in to post a comment.

ABOUT WSCPA

The Washington Society of Certified Public Accountants is the only organization in the state of Washington dedicated to serving the professional needs of CPAs, educating consumers about CPAs and the services they provide, and encouraging students to study accounting and enter the profession.

Your Profession. Your Future. Your Advocate.

CONTACT

Washington Society of CPAs
902 140th Ave NE
Bellevue, WA 98005-3480

  • (P) 425-644-4800
  • (F) 425-562-8853

The WSCPA's business hours are 7:30 a.m. to 4:30 p.m., Monday through Friday.